All investment advisory fiduciaries should take note that the US government and many other regulators are raising the stakes for those responsible for cybersecurity risk. Recently, Uber’s former Security Chief was convicted by the US Attorney’s Office on charges of obstruction of justice for failing to report an incident to the Federal Trade Commission. The hack occurred in 2016, while the company was already cooperating in an FTC investigation of a different incident. When two hackers threatened to release sensitive information pertaining to 57 million riders and 60,000 drivers unless the company paid them $100,000, Uber paid the bounty but did not report the incident, for fear of extending the already ongoing investigation.
What You Need to Know
- This is the first reported proceeding in which an individual executive has faced a criminal trial over a data breach
- Two hackers threatened to release sensitive information pertaining to 57 million riders and 60,000 drivers
- Uber paid the hackers $100,000 and did not report the incident, allegedly under the watch of Joe Sullivan, its security chief
- Sullivan is a former member of the US Attorney’s Office and its cybercrime unit, the same office that prosecuted this action against him
- He was convicted in San Francisco on one count of obstruction of justice and one count of concealing a felony
- Sullivan faces a maximum sentence of five years in prison for obstruction of justice, and up to three years for failing to report the incident
- Cybersecurity risk is not merely “existential” and “systemic”; it is now, apparently, potentially criminal
- This conviction demonstrates that regulators have crossed the Rubicon on cybersecurity risk management by imposing individual criminal liability on cybersecurity professionals, rather than on the business as an entity.
- Consistent with the rising tide of fines, penalties, and other deterrents designed to force compliance with prevailing cybersecurity standards, adding the arrow of individual liability to the federal quiver is yet another high-water mark of which all fiduciaries and cyber professionals, including the C-Suite and Board Directors, must be aware.
- The case appears to find liability in the absence of evidence that the subject data set was in fact accessed, exfiltrated, or otherwise breached. If there was no actual evidence of a breach, the question of which violation underpins the conviction looms over the cybersecurity professional community.
Do you have other cybersecurity concerns?
If so, we advise you to contact the Align Managed Services team at email@example.com or via phone at +1 855-IT-ALIGN (1-855-482-5446).
The Align Team